← back
CVE-2018-19908

CVE-2018-19908

EPSS 17.2%
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
Affected products
n/a · n/a
public PoCs found2
cve_referencewww.exploit-db.com/exploits/46401/unverifiedexploitdbwww.exploit-db.com/exploits/46401unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/MISP/MISP/commit/211ac0737281b65e7da160f0aac52f401a94e1a3https://github.com/MISP/MISP/releases/tag/v2.4.99https://www.exploit-db.com/exploits/46401/